If you ping the broadcast address of a network, all hosts are supposed to

@@ -6799,7+6799,7 @@ Maximum number of retries for multicast solicitation.

<Term>/proc/sys/net/ipv4/neigh/DEV/proxy_delay</Term>

<ListItem>

<Para>

-Maximum time (real time is random &lsqb;0..proxytime]) before answering to an ARP

+Maximum time (real time is random [0..proxytime]) before answering to an ARP

request for which we have an proxy ARP entry. In some cases, this is used to

prevent network flooding.

</Para></ListItem>
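Review bot: replacing the `&lsqb;` entity with a literal `[` in the proxy_delay description is correct for DocBook SGML, where `[` needs no escaping and the closing `]` on the same line was already literal, so the rendered text becomes `random [0..proxytime]` as intended. While this line is being touched, the context line that follows still reads "for which we have an proxy ARP entry"; it should be "a proxy ARP entry".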

@@ -9016,36+9016,35 @@ If the last two lines give an error, update your tc tool to a newer version!

<para>

Adjust CEIL to 75% of your upstream bandwith limit by now, and where I use eth0, you should use the interface which has a public Internet address. To begin our example execute the following in a root shell:

We have just created a htb tree with one level depth. Something like this:

<Screen>

-+---------+

-| root 1: |

-+---------+

- |

-+---------------------------------------+

-| class 1:1 |

-+---------------------------------------+

- | | | | | |

-+----+ +----+ +----+ +----+ +----+ +----+

-|1:10| |1:11| |1:12| |1:13| |1:14| |1:15|

-+----+ +----+ +----+ +----+ +----+ +----+

++---------+

+| root 1: |

++---------+

+ |

++---------------------------------------+

+| class 1:1 |

++---------------------------------------+

+ | | | | | |

++----+ +----+ +----+ +----+ +----+ +----+

+|1:10| |1:11| |1:12| |1:13| |1:14| |1:15|

++----+ +----+ +----+ +----+ +----+ +----+

</Screen>

-

<VariableList>

<VarListEntry>

<Term>classid 1:10 htb rate 80kbit ceil 80kbit prio 0</Term>
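Review bot: the removed and added diagram lines are byte-identical as displayed, so this hunk is a whitespace-only change (the column alignment under `class 1:1` is lost in this rendering) plus the deletion of the blank line before `<VariableList>`; please confirm that in the `+` lines the `|` connectors and the six leaf boxes 1:10 to 1:15 still line up, since the diagram inside `<Screen>` is meaningless if they do not. Two problems in the unchanged context: the paragraph ends with "execute the following in a root shell:" but no commands appear between it and "We have just created a htb tree with one level depth", so the tc commands that build the tree are either missing from this hunk or that sentence should go; and "bandwith" should be "bandwidth".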

@@ -9114,12+9113,12 @@ If the last two lines give an error, update your tc tool to a newer version!

<para>

Now we set the filters so we can classify the packets with iptables. I really prefer to do it with iptables, because they are very flexible and you have packet count for each rule. Also with the RETURN target packets don't need to traverse all rules. We execute the following commands:

I assume you have all your tables creak and with default policy ACCEPT ( -P ACCEPT ) if you haven't poked with iptables yet, It should be ok by default. Ours private network is a class B with address 172.17.0.0/16 and public ip is 212.170.21.172

</para>

<para>

Next we instruct the kernel to <emphasis>actually do NAT</emphasis>, so clients in the private network can start talking to the outside.

When we are done adding rules to PREROUTING in mangle, we terminate the PREROUTING table with:

<Screen>

-iptables -t mangle -A PREROUTING -j MARK --set-mark 0x6

+iptables -t mangle -A PREROUTING -j MARK --set-mark 0x6

</Screen>

So previously unmarked traffic goes in 1:15. In fact this last step is unnecessary since default class was 1:15, but I will mark them in order to be consistent with the whole setup, and furthermore it's useful to see the counter in that rule.

</para>
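Review bot: the final `iptables -t mangle -A PREROUTING -j MARK --set-mark 0x6` rule carries no match, so it rewrites the mark of every packet still traversing the chain, including any packet an earlier rule marked without a RETURN; the setup only works because, as the paragraph above says, each earlier marking rule ends with RETURN, and that invariant should be stated explicitly next to this rule rather than left implied. The `-` and `+` lines are identical as shown, so the change is presumably whitespace only. In the context, "all your tables creak" should be "all your tables clean", "Ours private network" should be "Our private network", and the sentence "Next we instruct the kernel to actually do NAT" is followed by no NAT rule at all, so either the nat-table command belongs in this hunk or the sentence is out of place.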

@@ -9205,9+9211,9 @@ If the last two lines give an error, update your tc tool to a newer version!

<para>

If you find that some classes are full most of the time it would be a good idea to attach another queueing discipline to them so bandwith sharing is more fair:

<Screen>

-tc qdisc add dev eth0 parent 1:13 handle 130: sfq perturb 10

-tc qdisc add dev eth0 parent 1:14 handle 140: sfq perturb 10

-tc qdisc add dev eth0 parent 1:15 handle 150: sfq perturb 10

+tc qdisc add dev eth0 parent 1:13 handle 130: sfq perturb 10

+tc qdisc add dev eth0 parent 1:14 handle 140: sfq perturb 10

+tc qdisc add dev eth0 parent 1:15 handle 150: sfq perturb 10

</Screen>

</para>
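Review bot: the three `tc qdisc add ... sfq perturb 10` lines are identical before and after, so this is whitespace churn; unless the `<screen>` indentation actually changed, the hunk should be dropped to keep the diff reviewable. On the substance, sfq is attached only to 1:13, 1:14 and 1:15, leaving 1:10 through 1:12 on the default FIFO; if the "full most of the time" criterion is meant to be applied per class, say so, otherwise attach sfq to all six leaves with handles 100:, 110: and 120: following the same naming scheme. It is also worth noting that `perturb 10` reseeds the flow hash every 10 seconds and can briefly reorder packets of a flow when it does, which is acceptable here but should be mentioned. "bandwith" in the context line should be "bandwidth".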

@@ -9215,7+9221,7 @@ If the last two lines give an error, update your tc tool to a newer version!

<sect2>

<Title>Making all of the above start at boot</Title>

<para>

- It sure can be done in many ways. In mine, I have a shell script in /etc/init.d/packetfilter that accepts [start | stop | stop-tables | start-tables | reload-tables] it configures qdiscs and loads needed kernel modules, so it behaves much like a daemon. The same script loads iptables rules from /etc/network/iptables-rules. I will beautify it a little and will make it available on my web page <ULink URL="http://omega.resa.es/piotr/files/packetfilter.tar.bz2">here</ULink>

+ It sure can be done in many ways. In mine, I have a shell script in /etc/init.d/packetfilter that accepts [start | stop | stop-tables | start-tables | reload-tables] it configures qdiscs and loads needed kernel modules, so it behaves much like a daemon. The same script loads iptables rules from /etc/network/iptables-rules which can be saved with iptables-save and restored with iptables-restore.
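Review bot: pointing readers at iptables-save and iptables-restore instead of the dead download link is the right fix, but the sentence still runs on: "accepts [start | stop | stop-tables | start-tables | reload-tables] it configures qdiscs" needs a break, e.g. "... reload-tables]. It configures qdiscs and loads the needed kernel modules". Two caveats belong here as well: `iptables-restore` flushes and replaces the existing tables by default (its `-n` / `--noflush` flag keeps them), so a `reload-tables` that calls it will discard any rules added by hand since the last save; and /etc/network/iptables-rules should be readable by root only, since it holds the complete NAT and marking rule set for the public address.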

Don't be afraid by this diagram, zebra does most of the work automatically, so it won't take any work to put all the routes up with zebra. It would be painful to mantain all those routes by hand in a day to day basis. The most important thing you must have clear, is the network topology. And take special care with Area 0, since it's the most important.

First configure zebra, editing zebra.conf and adapt it to your needs:

<screen>

-hostname omega

-password xxx

-enable password xxx

-!

-! Interface's description.

-!

-!interface lo

-! description test of desc.

-!

-interface eth1

-multicast

-!

-! Static default route

-!

-ip route 0.0.0.0/0 212.170.21.129

-!

-log file /var/log/zebra/zebra.log

+hostname omega

+password xxx

+enable password xxx

+!

+! Interface's description.

+!

+!interface lo

+! description test of desc.

+!

+interface eth1

+multicast

+!

+! Static default route

+!

+ip route 0.0.0.0/0 212.170.21.129

+!

+log file /var/log/zebra/zebra.log

</screen>

In Debian, I will also had to edit /etc/zebra/daemons so they start at boot:
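Review bot: the `-` and `+` blocks of zebra.conf are identical as shown, so this hunk is whitespace only and should be dropped unless the `<screen>` indentation really changed. Two points on the sample config itself: `password xxx` and `enable password xxx` are stored in cleartext, and `enable password` is what grants configuration access over the vty, so the sample should either add `service password-encryption` or state that the file must not be world-readable; and the commented `!interface lo` / `! description test of desc.` lines are leftover test material that belongs neither in a HOWTO nor under the heading "Interface's description", so either remove them or turn them into a real interface description.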

<screen>

-zebra=yes

-ospfd=yes

+zebra=yes

+ospfd=yes

</screen>

Now we have to edit ospfd.conf if you are still runnig IPV4 or ospf6d.conf if you run IPV6. My ospfd.conf looks like:
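Review bot: `zebra=yes` and `ospfd=yes` are unchanged as displayed, so this is another whitespace-only hunk. The sentence that follows tells IPv6 users to edit ospf6d.conf, but the daemons file shown enables only ospfd; if the IPv6 path is meant to work, `ospf6d=yes` has to be added here too, or the prose should say that the daemons file shown covers the IPv4 case only. Also "I will also had to edit" should read "I also had to edit", and "runnig" should be "running".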

Ignore the SMUX_CLOSE message by now, since it's about SNMP. We can see that 192.168.0.1 is the <emphasis>Designated Router</emphasis> and 192.168.0.2 is the <emphasis>Backup Designated Router</emphasis>

We can see the zebra routes, that weren't there before. It's really nice to see routes appearing just a few seconds after you start zebra and ospfd. You can check connectivity to other hosts with ping. Zebra routes are automatic, you can just add another router to the network, configure zebra, and voila!